US9098685B2 - Flexible method of user authentication - Google Patents


Publication number
US9098685B2
Authority
US
United States
Prior art keywords
workstation
data
security
user
access
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Lifetime, expires
Application number
US10/847,884
Other versions
US20040215980A1 (en
Inventor
Laurence Hamid
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
ActivCard Ireland Ltd
HID Global Corp
Intellectual Ventures I LLC
Original Assignee
ActivCard Ireland Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Family has litigation
First worldwide family litigation filed litigation Critical https://patents.darts-ip.com/?family=34979755&utm_source=google_patent&utm_medium=platform_link&utm_campaign=public_patent_search&patent=US9098685(B2) "Global patent litigation dataset” by Darts-ip is licensed under a Creative Commons Attribution 4.0 International License.
PTAB case IPR2017-00338 filed (Final Written Decision) litigation https://portal.unifiedpatents.com/ptab/case/IPR2017-00338 Petitioner: "Unified Patents PTAB Data" by Unified Patents is licensed under a Creative Commons Attribution 4.0 International License.
US case filed in Massachusetts District Court litigation https://portal.unifiedpatents.com/litigation/Massachusetts%20District%20Court/case/1%3A20-cv-10292 Source: District Court Jurisdiction: Massachusetts District Court "Unified Patents Litigation Data" by Unified Patents is licensed under a Creative Commons Attribution 4.0 International License.
US case filed in Massachusetts District Court litigation https://portal.unifiedpatents.com/litigation/Massachusetts%20District%20Court/case/1%3A16-cv-10860 Source: District Court Jurisdiction: Massachusetts District Court "Unified Patents Litigation Data" by Unified Patents is licensed under a Creative Commons Attribution 4.0 International License.
US case filed in Court of Appeals for the Federal Circuit litigation https://portal.unifiedpatents.com/litigation/Court%20of%20Appeals%20for%20the%20Federal%20Circuit/case/2021-1399 Source: Court of Appeals for the Federal Circuit Jurisdiction: Court of Appeals for the Federal Circuit "Unified Patents Litigation Data" by Unified Patents is licensed under a Creative Commons Attribution 4.0 International License.
US case filed in Court of Appeals for the Federal Circuit litigation https://portal.unifiedpatents.com/litigation/Court%20of%20Appeals%20for%20the%20Federal%20Circuit/case/2020-2280 Source: Court of Appeals for the Federal Circuit Jurisdiction: Court of Appeals for the Federal Circuit "Unified Patents Litigation Data" by Unified Patents is licensed under a Creative Commons Attribution 4.0 International License.
US case filed in Court of Appeals for the Federal Circuit litigation https://portal.unifiedpatents.com/litigation/Court%20of%20Appeals%20for%20the%20Federal%20Circuit/case/2018-2288 Source: Court of Appeals for the Federal Circuit Jurisdiction: Court of Appeals for the Federal Circuit "Unified Patents Litigation Data" by Unified Patents is licensed under a Creative Commons Attribution 4.0 International License.
Priority claimed from US09/625,548 external-priority patent/US7137008B1/en
Priority to US10/847,884 priority Critical patent/US9098685B2/en
Application filed by ActivCard Ireland Ltd filed Critical ActivCard Ireland Ltd
Publication of US20040215980A1 publication Critical patent/US20040215980A1/en
Assigned to ACTIVCARD INC. reassignment ACTIVCARD INC. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: HAMID, LAURENCE
Priority to EP05291070A priority patent/EP1603003A1/en
Assigned to ACTIVCARD CORP. reassignment ACTIVCARD CORP. LICENSE AGREEMENT Assignors: DISCOBOLUS MANAGEMENT, LLC
Assigned to ACTIVIDENTITY, INC. reassignment ACTIVIDENTITY, INC. CHANGE OF NAME (SEE DOCUMENT FOR DETAILS). Assignors: ACTIVCARD, INC.
Publication of US9098685B2 publication Critical patent/US9098685B2/en
Application granted granted Critical
Assigned to PETA HOLDINGS, LLC reassignment PETA HOLDINGS, LLC LICENSE (SEE DOCUMENT FOR DETAILS). Assignors: ACTIVCARD CORP.
Assigned to ACTIVIDENTITY CORPORATION reassignment ACTIVIDENTITY CORPORATION ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: ACTIVIDENTITY, INC.
Assigned to PETA HOLDINGS, LLC reassignment PETA HOLDINGS, LLC LICENSE (SEE DOCUMENT FOR DETAILS). Assignors: ACTIVCARD IRELAND LIMITED, ACTIVCARD, INC.
Assigned to HID GLOBAL CORPORATION reassignment HID GLOBAL CORPORATION MERGER (SEE DOCUMENT FOR DETAILS). Assignors: ACTIVIDENTITY CORPORATION
Assigned to INTELLECTUAL VENTURES I LLC reassignment INTELLECTUAL VENTURES I LLC ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: PETA HOLDINGS, LLC
Adjusted expiration legal-status Critical
Expired - Lifetime legal-status Critical Current

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database

Definitions

  • This invention relates generally to authorization of individuals and more particularly relates to a method of authorizing a user at a workstation according to a security policy that is dependent upon previously stored policy data and data relating to the workstation that is for use by the user.
  • Pre-set codes are often forgotten, as users have no reliable method of remembering them. Writing down the codes and storing them in close proximity to an access control device (i.e. the combination lock) results in a secured access control system with a very insecure code. Alternatively, the nuisance of trying several code variations renders the access control system more of a problem than a solution.
  • Password systems are known to suffer from other disadvantages. Usually, a user specifies passwords. Most users, being unsophisticated users of security systems, choose passwords that are relatively insecure. As such, many systems protected by passwords are easily accessed through a simple trial and error process.
  • a security access system that provides substantially secured access and does not require a password or access code is a biometric identification system.
  • a biometric identification system accepts unique biometric information from a user and identifies the user by matching the information against information belonging to registered users of the system.
  • One such biometric identification system is a fingerprint recognition system.
  • In a fingerprint input transducer or sensor, a finger tip is usually pressed against a flat surface, such as a side of a glass plate. The ridge and valley pattern of the finger tip is sensed by a sensing means such as an interrogating light beam. Fingerprint characterization is well known and involves many aspects of fingerprint analysis.
  • Upon a prospective user wishing to gain access to the protected system the user must interface with the system, which compares the prospective user's biometric data to the stored reference data. This comparison must not only be acceptably close in similarity in order to gain access to the protected system, it must also continue to be close in subsequent comparisons in order for access to the protected system or device to continue.
  • Computer networks typically store information such as user profiles, user authorization for access and vast amounts of data.
  • End user terminals are a critical component of the computer network, in that they provide external access to the network by offering a means of transmitting input data to the network and by offering a means of reading information from the network.
  • Each of these terminals poses a security risk to data stored on the network and controlling unauthorized access to the data stored on the network is of critical importance.
  • Although biometric authentication is a secured means of identifying a user, it has not penetrated the marketplace sufficiently to be implemented on most desktop computers.
  • most end user terminals are not equipped with a biometric data input device. Since most forms of biometric authentication require specialized hardware, market penetration is slow and requires both acceptance of the new hardware and a pressing need.
  • Typical uses of user authentication include system access, user identification, and access to a secured key database. Often a secured key database is encrypted with a key that is accessible through user authentication or identification.
  • Key management systems are well known.
  • One such system by Entrust® Technologies Limited, is currently commercially available.
  • current key management systems are designed for installation on a single computer for use with a single fixed user authorization method and for portability between computers having a same configuration.
  • implementation of enhanced security through installation of biometric input devices is costly and greatly limits portability of key databases.
  • Password based protection of key databases is undesirable because of the inherent insecure nature of most user selected passwords.
  • a method of authorizing a user in communication with a workstation comprising: providing data relating to the workstation to the server; determining at the server based upon the data relating to the workstation and on previously stored policy data at least an authorization method for authorizing the user; receiving by the workstation of user data from the user; and, registering the user data against previously stored user data in accordance with the determined at least an authorization method to perform at least one of identifying and authorizing the user in dependence upon the data relating to the workstation.
  • a method of authorizing a user for providing secure access to a data with a predetermined level of security providing a workstation in communication with a server; providing first data from the workstation to the server, the first data relating to the workstation, the first data being different for a same workstation under different security affecting operating conditions; determining based on the first data and a security policy, an authorization method for use by a user of the workstation, the authorization method for providing at least the predetermined level of security in light of the first data and selected from a plurality of authorization methods; and authorizing a user of the workstation in accordance with the authorization method for providing access to second data from the server, the provided access having at least the predetermined level of security.
  • a system for authorizing a user for providing secure access to a data with a predetermined level of security comprising: a workstation in communication with a server; means for providing first data from the workstation to the server, the first data relating to the workstation, the first data being different for a same workstation under different security affecting operating conditions; means for determining based on the first data and a security policy, an authorization method for use by a user of the workstation, the authorization method for providing at least the predetermined level of security in light of the first data and selected from a plurality of authorization methods; and means for authorizing a user of the workstation in accordance with the authorization method for providing access to second data from the server, the provided access having at least the predetermined level of security.
  • the programmatic information to perform one or more of the above described methods may be stored in a tangible form including optical storage media, magnetic storage media, or logical storage media.
  • the programmatic information includes compiled object code, compilable source code or byte code, or interpretable source or byte code.
  • FIG. 1 illustrates a flow diagram of a prior art method of accessing secured data
  • FIG. 2 illustrates a flow diagram of a prior art method of accessing secured data
  • FIG. 3 a illustrates a simplified diagram of a network, that includes a local workstation, in accordance with an embodiment of the present invention
  • FIG. 3 b illustrates a simplified diagram of a network, that includes a remote workstation, in accordance with an embodiment of the present invention
  • FIG. 4 illustrates a first flow diagram of a method of performing user authentication in accordance with an embodiment of the invention.
  • FIG. 5 illustrates a second flow diagram of a method of performing user authentication in accordance with an embodiment of the invention.
  • a key data file comprises a cryptographic key, which is secured using a biometric authentication method.
  • biometric authentication is required to access the cryptographic key.
  • the cryptographic key is encrypted using a key secured by the biometric information.
  • the secured cryptographic key is accessed, the cryptographic key is decrypted and the decrypted cryptographic key is used to encrypt or decrypt data files.
  • the method of accessing the cryptographic key is predetermined and is unchanging in nature.
  • key data files are typically transportable in the form of an encrypted data file containing the key data and security data necessary to access the encrypted data file.
  • each other computer system to which the key data file is transported must support a same authentication process in order to provide access to the key data file.
  • the user authorization method for accessing the secured key cannot be executed and the secured key is not accessible. Without the secured key, the encrypted cryptographic key data cannot be accessed when desired.
  • a method of extracting the keys from the key data file absent user authentication is necessary. Such a method is not desirable since it greatly reduces security.
  • This exemplary problem is analogous to problems in network access, file access, network security, document authentication, and so forth.
  • FIG. 2 a prior art method of accessing secured data using a smart card based verification process, but absent a biometric verification process, is shown.
  • a user password or card based user authentication
  • a smart card having a key data file stored therein is placed into a smart card reader.
  • a user is prompted for user authentication in the form of a user password.
  • Once the user password is verified, access to the cryptographic key is permitted and encrypted data files are accessible.
  • One such method is to employ the password or a predetermined portion thereof as a key for encrypting the cryptographic key.
  • Another such method involves providing access to a secured key upon verification of the password and using the secured key to access the cryptographic key.
  • FIGS. 3 a , 3 b a simplified diagram of a computer network 300 that includes a workstation 10 comprising a monitor 11 and a keyboard 12 connected to a server 13 through a communication link 15 is shown in accordance with a first embodiment of the invention.
  • a user data input device 14 is coupled to the workstation 10 for communicating therewith.
  • the user data input device 14 is in the form of, for example, a smart card reader, a biometric sampling device such as a fingerprint imager, a voice recognition system, a retinal imager or the like.
  • the keyboard 12 is utilized for optionally typing a password when added security is a concern.
  • the computer network 300 comprises a security server 13 for storing of policy data and a data server 19 for providing of secured data to the workstation 10 using the communication link 15 .
  • the security server 13 is also for controlling access to secured data stored on the data server 19 .
  • a mobile workstation 10 a is shown that is connected to the security server 13 using an unsecured communication link 15 a , which is, for example, provided by, at least in part, using a wireless connection, or a telephone line connection, or some other form of publicly used connection.
  • This type of connection is differentiated from communication link 15 in that communication link 15 is of the type typically found in a secured environment, such as a military headquarters.
  • the mobile workstation 10 a includes a keyboard 12 a , a portable user data input device 14 a , a display 11 a and a communication link for communicating with the secured server using the unsecured communication link 15 a.
  • a user desiring access to secured data stored in the data server 19 of the computer network 300 provides their user information to the user data input device, 14 or 14 a , which is in communication with the workstation 10 , or mobile workstation 10 a , respectively.
  • Upon the provision of their information to the user data input device 14 or 14 a , the workstation 10 or 10 a provides the user data and workstation data to the security server 13 via the communication link, 15 or 15 a , respectively.
  • an at least an authorization method for authorizing the user is determined. Furthermore the security server performs an operation of registering the user data against previously stored user data in accordance with the determined at least an authorization method. Thereafter, the security server identifies the user and optionally authorizes the user to access secured data in dependence upon the data relating to the workstation and the user data.
  • the security policy is determined from a plurality of predetermined security policies based on previously stored policy data and data relating to the workstation, where determining of the at least an authorization method for the user is according to the determined security policy.
  • the authorization method is varied because a security policy that depends upon the previously stored policy data and the user data is different.
  • the user does not necessarily have access to secured data stored on the server 19 .
  • the user is denied access to the secured data.
  • the workstation, 10 or 10 a transforms the user information in such a manner that it is transmittable using the communication link, 15 or 15 a , even when the communication link, 15 or 15 a , is unsecured.
  • the transformation of the user data is such that it is transmitted along with other data risking potential deciphering of the user information during transmission.
  • Such transformation includes, for example, encrypting or hashing the user information using keys or hashing algorithms.
  • FIG. 4 illustrates a flowchart in accordance with the preferred embodiment of the invention for a method of obtaining secured access to secured data stored on the server 19 that forms part of the computer network 300 .
  • the method is based on previously stored policy data, which determines the at least an authorization method for authorizing the user.
  • the previously stored policy data takes into account a type of user data input device, 14 or 14 a , a geographical location of the workstation, 10 or 10 a , and the type of communication link 15 or 15 a between the workstation 10 or 10 a and the security server 13 .
  • steps for authorizing of a user in communication with a workstation, 10 or 10 a are shown.
  • the user interacts with the user data input device 14 or 14 a , the workstation, 10 or 10 a , receives 20 user data from the user data input device, 14 or 14 a , in communication with the workstation, 10 or 10 a.
  • an at least an authorization method for authorizing the user is determined 21 .
  • the user data is then registered 22 against previously stored user data in accordance with the determined at least an authorization method to perform at least one of identifying and authorizing the user in dependence upon the data relating to the workstation.
  • the security server 13 determines different methods for authorization the user and in dependence upon. Granting the user access 23 to the secured data is in accordance with the determined at least an authorization method. For example, the identifying and authorizing of the user is dependent upon a geographical location of the mobile workstation 10 a.
  • the previously stored policy data determines the type of user data that is required from the security device. Further optionally, the authentication of the user is dependent upon a time that the request for authentication is being made. If, for example, the stored policy data determines that the type of request and the type of communication link between the workstation, 10 or 10 a , and the security server 13 requires added security, then the user is prompted to provide user data to the user data input device at random intervals. Examples of user data are biometric data and password data, but are not limited thereto.
  • a further authorization method is determined in dependence upon a further set of user data received from a further user data input device.
  • the workstation, 10 or 10 a receives biometric data from the user data input device in the form of a fingertip contact imaging sensor and additionally prompts the user for a password to be entered on the keyboard, 12 or 12 a.
  • an attempt to access secured data or perform an operation is detected by the security processor 16 pertaining to the computer network 300 .
  • a processor from the workstation 10 determines the type of user data input device, 14 or 14 a , connected to the workstation and sends user data to the security processor 16 .
  • the user is authorized to perform operations only within predetermined limits indicated by the security level.
  • policy data is dependent upon any plurality of parameters about the workstation, 10 or 10 a , and its communication link, 15 or 15 a , to the security server 13 .
  • a geographical location of the workstation, 10 or 10 a is used for forming a portion of the previously stored policy data.
  • a user ID optionally forms a portion of the previously stored policy data.
  • Other examples of parameters that affect the previously stored policy data are: the date, the time, the day of the week, the country, the data being accessed, the communication link, 15 or 15 a , between the workstation, 10 or 10 a , and the security server 13 , the available user data input devices, 14 or 14 a , the type of secured data being requested from the data server 19 , and so forth.
  • a portable workstation 10 a that is presently geographically located in a less than secured location preferably utilizes a “high” security authentication process, while the same workstation, for example workstation 10 , within a corporate headquarters utilizes a more “normal” level of security authentication.
  • a user makes 30 a request to access the computer network 300 using the workstation, 10 or 10 a , and the user data input device, 14 .
  • the workstation 10 records 31 a request for access.
  • User interacts 32 with the user data input device, 14 or 14 a , and user data is provided to the security server 13 using the communication link, 15 or 15 a .
  • the security server 13 identifies 33 the user and receives characteristic information about the workstation, 10 or 10 a .
  • the characteristic information about the workstation is, for example, the geographical location of the workstation, the time the request for access is being performed, the type of request and so forth.
  • the security policy resulting from the policy data stored on the secured server 13 examines the workstation data to ascertain 34 whether the identified user is entitled to perform such a request from where the workstation 10 is geographically located. In dependence upon the security policy and the geographical location of the workstation, 10 or 10 a , an at least an authorization method in accordance with the previously stored policy data is selected.
  • a general at a remote location wishes to gain access to the secured server 19 .
  • the general is equipped with the portable workstation 10 a at the remote location.
  • the general uses the user data input device 14 a , in the form of the keyboard 12 a and a biometric sensor, the general provides a password using the keyboard 12 and provides biometric information to the biometric sensor.
  • the security server 13 receives the geographical location of the workstation 10 a and the security server 13 identifies the general. After identification, the policy data is consulted and a method of authentication is determined for general at the workstation 10 a in its surrounding environment.
  • the general's country is part of an international treaty.
  • the general travels from time to time to one of the allied countries.
  • the general has brought the portable workstation 10 a , because it is already configured and the user is familiar with such configuration, in order to access the computer network 300 .
  • This remote workstation 10 a facilitates the general's work during the flight, for example.
  • Access to the secured data stored within the computer network 300 is achievable from any portable workstation 10 a that has capabilities for connection to the security server 13 using the communication link 15 a .
  • the security server 13 detects that the access request originates from an allied foreign country.
  • the security server 13 consults the previously stored policy data in order to determine the security policy the most adequate method of authentication in such a case.
  • the previously stored policy data indicates that for being allowed to access the secured data, the general has to regularly authenticate using the user data input device 14 a .
  • the interval between two successive authentication procedures is determined to be short in accordance with the previously stored policy data.
  • the general is prompted to re-authenticate at 5 minute intervals. This prevents access to the secured data when the portable workstation 10 a is left unattended for a period of time lasting more than 5 minutes, for example.
  • the previously stored policy data randomly selects a fingerprint to be imaged and prompts the general to provide the randomly selected fingertip on the biometric sensor forming part of user data input device 14 a .
  • the authentication verification is, in this case, based upon the use of biometric authentication, thus the previously stored policy data requires a false acceptance (FA) of 1/1,000,000 authentication with a FA of 1/10,000,000 every 15 minutes, which is every third time.
  • the communication link 15 a employed between the portable workstation 10 a and the security server 13 employs a secured data exchange (encrypted data that is encrypted with an encryption key, or keys) between the portable workstation 10 a and the security server 13 .
  • the general also travels to non-allied countries for various reasons including, for example, for prospecting purpose and for meeting with non-allied military high ranked people.
  • the general brings the portable workstation 10 a for communicating with the security server 13 .
  • the portable workstation 10 a that is assigned to the general is utilized because it is already configured for communicating with the secured server 13 and because the security policy has a prerequisite that the general access the security server 13 from the portable workstation 10 a .
  • the software and hardware used for accessing of the security server 13 are verified and authenticated. For example, before departure from the military headquarters, the remote workstation is verified to ascertain that all the systems are trusted for communicating with the security server 13 .
  • the remote workstation 10 a is configured such that the secured files accessed from a foreign country are read only files and only the scroll down function is used in order to read them on the screen. Further optionally, the files continuously scroll in order to render difficulty in photographing the screen 11 a of the remote workstation 10 a.
  • the security policy indicates that at least three fingerprints randomly selected are to be provided to the user data input device 14 a every three minutes.
  • an office at the military headquarters is considered a secured location.
  • the general had already been subjected to various check points, for example personal verification with a security guard at the entrance gate of the headquarters.
  • the general also provides verification data for accessing the parking area, or an elevator for reaching the office floor.
  • the security system at the military headquarters has a plurality of additional user data input devices for identifying and for performing verification about the general before the general tries to access data on the computer network 300 .
  • biometric information is still provided to a biometric sensor, forming part of the user data input device 14 , and optionally a password is provided to the keyboard 12 . Because the general is within the confines of the military headquarters, the information exchanged between the workstation 10 and the security server 13 is sent using a communication link 15 that is secured. As such, it is highly unlikely that the network communication link 15 is unprotected.
  • certain files that are stored in the computer network 300 are considered sensitive and are protected such that their access is allowed from the workstation 10 in the general's office but these files cannot be saved on a mobile workstation 10 a for future access.
  • the mobile workstation 10 a does not facilitate storing of these secured files because it is portable and is transported to unsecured locations.
  • authentication procedures supported by a sophisticated requirement from the security policy are not necessitated.
  • the secured data stored on the data server 19 is accessible by many users that are part of an organization and that are connected to the security server using a plurality of communication links 15 .
  • the security policy is optionally different depending on the hierarchy within the organization. So, for example, when a sergeant attempts to access the secured data from the secured server 14 from their office located within the confines of the headquarters or from a conference room in an allied country, the sergeant is subject to the same security protocol as the general. However, when the sergeant is requesting access to the secured data from a non-allied country, the access is automatically denied.
  • the security policy requires that another officer having at least the same rank is also permanently present and periodically identified using the user data input device 14 a , where both officers are subject to authentication using the user data input device 14 a coupled with the remote workstation 10 a.
  • a security system based on security policy is flexible, which allows for many variations and adaptations according to external circumstances.
  • the general's remote workstation 10 a crashes 5 minutes before the beginning of a meeting in a non-allied country.
  • a security policy requires that to use another remote workstation, at least two user data input devices, for example a smart card reader and a biometric sensor, be connected to the another remote workstation.
  • the configuration of another remote workstation is adapted such that it is preferably accepted by the security server 13 .
  • the security policy derived from the previously stored policy data in such condition is not identical to the previous one and it requests that the general authenticates to a FA of 1/100,000,000 every 3 minutes.
  • the embodiments of the invention are not limited to military security but are adaptable to any system that is for protection of data and the protection of data exchange.

Abstract

A method of authorizing a user at a location is disclosed. A user data input device is used for receiving of user information. In dependence upon stored policy data, a location of the workstation and other characteristics thereof, an authorization method for the user is determined. In the authorization method, the user is first identified with the security server and then optionally authorized thereby. The stored policy data results in different determined methods for different authorization procedures based upon the user data and the characteristic of the user data input device and the workstation.

Description

CROSS-REFERENCE TO RELATED APPLICATIONS:
This application is a continuation in part of U.S. patent application Ser. No. 09/625,548 Filed: Jul. 25, 2000 (U.S. Pat. No. 7,137,008), which is hereby incorporated by reference in its entirety.
FIELD OF THE INVENTION
This invention relates generally to authorization of individuals and more particularly relates to a method of authorizing a user at a workstation according to a security policy that is dependent upon previously stored policy data and data relating to the workstation that is for use by the user.
BACKGROUND OF THE INVENTION
Computer security is fast becoming an important issue. With the proliferation of computers and computer networks into all aspects of business and daily life—financial, medical, education, government, and communications—the concern over secured file access is growing. Using passwords is a common method of providing security. Password protection and/or combination type locks are employed for computer network security, automatic teller machines, telephone banking, calling cards, telephone answering services, houses, and safes. These systems generally require the knowledge of an entry code that has been selected by a user or has been pre-set.
Pre-set codes are often forgotten, as users have no reliable method of remembering them. Writing down the codes and storing them in close proximity to an access control device (i.e. the combination lock) results in a secured access control system with a very insecure code. Alternatively, the nuisance of trying several code variations renders the access control system more of a problem than a solution.
Password systems are known to suffer from other disadvantages. Usually, a user specifies passwords. Most users, being unsophisticated users of security systems, choose passwords that are relatively insecure. As such, many systems protected by passwords are easily accessed through a simple trial and error process.
A security access system that provides substantially secured access and does not require a password or access code is a biometric identification system. A biometric identification system accepts unique biometric information from a user and identifies the user by matching the information against information belonging to registered users of the system. One such biometric identification system is a fingerprint recognition system.
In a fingerprint input transducer or sensor, a finger tip is usually pressed against a flat surface, such as a side of a glass plate. The ridge and valley pattern of the finger tip is sensed by a sensing means such as an interrogating light beam. Fingerprint characterization is well known and involves many aspects of fingerprint analysis.
An example of the use of fingerprint for securing access to a protected system is provided by the U.S. Pat. No. 5,229,764 to Matchett et al. There is disclosed a method of continuously analyzing biometric data from a biometric input device at intermittent intervals and selectively granting or denying access to a particular protected system based on the biometric input. The system is a continuous biometric authentication, which reads from a variety of biometric personal identification devices. The system acts as a continuously functioning “gate” between a protected system and a prospective user. Biometric data pertaining to a prospective user is stored for reference within the system. Upon a prospective user wishing to gain access to the protected system the user must interface with the system, which compares the prospective user's biometric data to the stored reference data. This comparison must not only be acceptably close in similarity in order to gain access to the protected system, it must also continue to be close in subsequent comparisons in order for access to the protected system or device to continue.
Computer networks typically store information such as user profiles, user authorization for access and vast amounts of data. End user terminals are a critical component of the computer network, in that they provide external access to the network by offering a means of transmitting input data to the network and by offering a means of reading information from the network. Each of these terminals poses a security risk to data stored on the network and controlling unauthorized access to the data stored on the network is of critical importance. Though biometric authentication is a secured means of identifying a user, it has not penetrated the marketplace sufficiently to be implemented on most desktop computers. Furthermore, most end user terminals are not equipped with a biometric data input device. Since most forms of biometric authentication require specialized hardware, market penetration is slow and requires both acceptance of the new hardware and a pressing need.
Typical uses of user authentication include system access, user identification, and access to a secured key database. Often a secured key database is encrypted with a key that is accessible through user authentication or identification.
Key management systems are well known. One such system, by Entrust® Technologies Limited, is currently commercially available. Unfortunately, current key management systems are designed for installation on a single computer for use with a single fixed user authorization method and for portability between computers having a same configuration. As such, implementation of enhanced security through installation of biometric input devices is costly and greatly limits portability of key databases. Password based protection of key databases is undesirable because of the inherent insecure nature of most user selected passwords.
In the past, a system was provided with a single available security system. Typically, prior art systems require a password. Alternatively, a system could require a password and a biometric, or another predetermined combination of user authorization information. Unfortunately, passwords are inherently insecure. Further, because of the limited number of workstations equipped with biometric scanners and so forth, it is difficult to implement a system secured with biometrics.
One variation in the above systems is access from external locations. Typically, organisations have a further security process for remote access to their sites, the further process requiring passing through a gateway into their sites. Thus, a user wishing remote access to a system must pass a first level of security to gain access to the network and another level of security to gain access to data stored therein. Both of these security processes are fixed and are implemented automatically when users try to pass through secured access gateways.
It would be advantageous to provide a method of user authorization that is flexible enough to work on different workstations and to accommodate user needs of different users at those different workstations. It is therefore an object of the invention to determine an authorization procedure for execution on a workstation based upon stored policy data.
SUMMARY OF THE INVENTION
In accordance with the invention there is provided a method of authorizing a user in communication with a workstation that is in communication with a server comprising: providing data relating to the workstation to the server; determining at the server based upon the data relating to the workstation and on previously stored policy data at least an authorization method for authorizing the user; receiving by the workstation of user data from the user; and, registering the user data against previously stored user data in accordance with the determined at least an authorization method to perform at least one of identifying and authorizing the user in dependence upon the data relating to the workstation.
In accordance with the invention there is provided a method of authorizing a user for providing secure access to a data with a predetermined level of security: providing a workstation in communication with a server; providing first data from the workstation to the server, the first data relating to the workstation, the first data being different for a same workstation under different security affecting operating conditions; determining based on the first data and a security policy, an authorization method for use by a user of the workstation, the authorization method for providing at least the predetermined level of security in light of the first data and selected from a plurality of authorization methods; and authorizing a user of the workstation in accordance with the authorization method for providing access to second data from the server, the provided access having at least the predetermined level of security.
In accordance with the invention there is provided a system for authorizing a user for providing secure access to a data with a predetermined level of security comprising: a workstation in communication with a server; means for providing first data from the workstation to the server, the first data relating to the workstation, the first data being different for a same workstation under different security affecting operating conditions; means for determining based on the first data and a security policy, an authorization method for use by a user of the workstation, the authorization method for providing at least the predetermined level of security in light of the first data and selected from a plurality of authorization methods; and means for authorizing a user of the workstation in accordance with the authorization method for providing access to second data from the server, the provided access having at least the predetermined level of security. The programmatic information to perform one or more of the above described methods may be stored in a tangible form including optical storage media, magnetic storage media, or logical storage media. The programmatic information includes compiled object code, compilable source code or byte code, or interpretable source or byte code.
BRIEF DESCRIPTION OF THE DRAWINGS
An exemplary embodiment of the invention will now be described in conjunction with the attached drawings, in which:
FIG. 1 illustrates a flow diagram of a prior art method of accessing secured data;
FIG. 2 illustrates a flow diagram of a prior art method of accessing secured data;
FIG. 3 a illustrates a simplified diagram of a network, that includes a local workstation, in accordance with an embodiment of the present invention;
FIG. 3 b illustrates a simplified diagram of a network, that includes a remote workstation, in accordance with an embodiment of the present invention;
FIG. 4 illustrates a first flow diagram of a method of performing user authentication in accordance with an embodiment of the invention; and,
FIG. 5 illustrates a second flow diagram of a method of performing user authentication in accordance with an embodiment of the invention.
DETAILED DESCRIPTION OF EMBODIMENTS OF THE INVENTION
Referring to FIG. 1, a simplified flow diagram of a prior art method of accessing secured data is shown for use in a network comprising a plurality of computers each having a biometric imaging device. A key data file comprises a cryptographic key, which is secured using a biometric authentication method. According to the method, biometric authentication is required to access the cryptographic key. For example, the cryptographic key is encrypted using a key secured by the biometric information. Upon presentation of appropriate biometric information, the secured cryptographic key is accessed, the cryptographic key is decrypted and the decrypted cryptographic key is used to encrypt or decrypt data files. The method of accessing the cryptographic key is predetermined and is unchanging in nature. Of course, other methods of securing cryptographic keys using biometric authentication are also applicable. For example, secured key locations are determinable by the user authentication process. Thus, if a key is secured using a fingerprint, access is through provision and analysis of a fingerprint and it is therefore necessary to outfit each system where a user may require access to the key with a biometric imaging device. Similarly, when the key is secured with a token, such as a smart card, the token interface must be installed on each system where the user may require access to the key. Presently, it is common to secure the key with a user password since almost all systems are equipped with a keyboard. Unfortunately, user passwords suffer from many security related disadvantages.
For convenience, key data files are typically transportable in the form of an encrypted data file containing the key data and security data necessary to access the encrypted data file. Unfortunately, each other computer system to which the key data file is transported must support a same authentication process in order to provide access to the key data file. For example, when the second computer has no biometric information input device, the user authorization method for accessing the secured key cannot be executed and the secured key is not accessible. Without the secured key, the encrypted cryptographic key data cannot be accessed when desired. Alternatively, a method of extracting the keys from the key data file absent user authentication is necessary. Such a method is not desirable since it greatly reduces security. This exemplary problem is analogous to problems in network access, file access, network security, document authentication, and so forth.
Referring to FIG. 2, a prior art method of accessing secured data using a smart card based verification process, but absent a biometric verification process, is shown. In this system, a user password, or card based user authentication, is employed. A smart card having a key data file stored therein is placed into a smart card reader. A user is prompted for user authentication in the form of a user password. Once the user password is verified, access to the cryptographic key is permitted and encrypted data files are accessible. One such method is to employ the password or a predetermined portion thereof as a key for encrypting the cryptographic key. Another such method involves providing access to a secured key upon verification of the password and using the secured key to access the cryptographic key. As is evident to those of skill in the art, conventional key data files cannot be transferred from a system employing a method, such as that of FIG. 1, to a system employing a different method, such as that of FIG. 2. Because of this, prior art systems are typically operated in a less than secured fashion. Alternatively, transportability and remote access is reduced where biometric user authentication is conducted. Further, expenses are greatly increased in providing a homogenous hardware and software base for all systems within an organization.
Referring now to FIGS. 3 a, 3 b, a simplified diagram of a computer network 300 that includes a workstation 10 comprising a monitor 11 and a keyboard 12 connected to a server 13 through a communication link 15 is shown in accordance with a first embodiment of the invention. A user data input device 14 is coupled to the workstation 10 for communicating therewith. The user data input device 14 is in the form of, for example, a smart card reader, a biometric sampling device such as a fingerprint imager, a voice recognition system, a retinal imager or the like. The keyboard 12 is optionally utilized for typing a password when added security is concerned. The computer network 300 comprises a security server 13 for storing of policy data and a data server 19 for providing of secured data to the workstation 10 using the communication link 15. The security server 13 is also for controlling access to secured data stored on the data server 19. Referring to FIG. 3 b, a mobile workstation 10 a is shown that is connected to the security server 13 using an unsecured communication link 15 a, which is, for example, provided, at least in part, using a wireless connection, or a telephone line connection, or some other form of publicly used connection. This type of connection is differentiated from communication link 15 in that communication link 15 is of the type typically found in a secured environment, such as a military headquarters. The mobile workstation 10 a includes a keyboard 12 a, a portable user data input device 14 a, a display 11 a and a communication link for communicating with the secured server using the unsecured communication link 15 a.
A user desiring access to secured data stored in the data server 19 of the computer network 300 provides their user information to the user data input device, 14 or 14 a, which is in communication with the workstation 10, or mobile workstation 10 a, respectively. Upon the provision of their information to the user data input device 14 or 14 a, the workstation 10 or 10 a provides the user data and workstation data to the security server 13 via the communication link, 15 or 15 a, respectively.
At the security server 13, in dependence upon data relating to the workstation and on previously stored policy data, an at least an authorization method for authorizing the user is determined. Furthermore the security server performs an operation of registering the user data against previously stored user data in accordance with the determined at least an authorization method. Thereafter, the security server identifies the user and optionally authorizes the user to access secured data in dependence upon the data relating to the workstation and the user data. Optionally, in order to increase security further, the security policy is determined from a plurality of predetermined security policies based on previously stored policy data and data relating to the workstation, where determining of the at least an authorization method for the user is according to the determined security policy.
Of course, in dependence upon the user data and the workstation data, such as the geographical location thereof, the authorization method is varied because a security policy that depends upon the previously stored policy data and the user data is different. Of course, even after authentication, the user does not necessarily have access to secured data stored on the server 19. In some cases because of the user data and the workstation data, the user is denied access to the secured data.
Preferably the workstation, 10 or 10 a, transforms the user information in such a manner that it is transmittable using the communication link, 15 or 15 a, even when the communication link, 15 or 15 a, is unsecured. The transformation of the user data is such that it is transmitted along with other data risking potential deciphering of the user information during transmission. Such transformation includes, for example, encrypting or hashing the user information using keys or hashing algorithms.
Alternatively, when access to the secured data is requested, the security server 13 receives the geographical location of the workstation, 10 or 10 a, from which the request has originated. FIG. 4 illustrates a flowchart in accordance with the preferred embodiment of the invention for a method of obtaining secured access to secured data stored on the server 19 that forms part of the computer network 300. The method is based on previously stored policy data, which determines the at least an authorization method for authorizing the user. The previously stored policy data, for example, takes into account a type of user data input device, 14 or 14 a, a geographical location of the workstation, 10 or 10 a, and the type of communication link 15 or 15 a between the workstation 10 or 10 a and the security server 13.
Referring to FIG. 4, steps for authorizing of a user in communication with a workstation, 10 or 10 a, are shown. The user interacts with the user data input device 14 or 14 a, the workstation, 10 or 10 a, receives 20 user data from the user data input device, 14 or 14 a, in communication with the workstation, 10 or 10 a.
In dependence upon workstation data and on previously stored policy data an at least an authorization method for authorizing the user is determined 21. The user data is then registered 22 against previously stored user data in accordance with the determined at least an authorization method to perform at least one of identifying and authorizing the user in dependence upon the data relating to the workstation. In dependence upon combinations of user data and workstation data, the security server 13 determines different methods for authorizing the user and in dependence upon. Granting the user access 23 to the secured data is in accordance with the determined at least an authorization method. For example, the identifying and authorizing of the user is dependent upon a geographical location of the mobile workstation 10 a.
In dependence upon the type of access being sought by the user, the previously stored policy data determines the type of user data that is required from the security device. Further optionally, the authentication of the user is dependent upon a time that the request for authentication is being made. If, for example, the stored policy data determines that the type of request and the type of communication link between the workstation, 10 or 10 a, and the security server 13 requires added security, then the user is prompted to provide user data to the user data input device at random intervals. Examples of user data are biometric data and password data, but are not limited thereto.
Optionally, in dependence upon a set of user data received from the user data input device, 14 or 14 a, a further authorization method is determined in dependence upon a further set of user data received from a further user data input device. The workstation, 10 or 10 a, for example, receives biometric data from the user data input device in the form of a fingertip contact imaging sensor and additionally prompts the user for a password to be entered on the keyboard, 12 or 12 a.
Referring to FIGS. 3 a and 3 b, with the use of the security processor 16, an attempt to access secured data or perform an operation is detected by the security processor 16 pertaining to the computer network 300. A processor from the workstation 10 determines the type of user data input device, 14 or 14 a, connected to the workstation and sends user data to the security processor 16. According to the authorization procedure performed and the trustworthiness of the user data input device, the user is authorized to perform operations only within predetermined limits indicated by the security level.
Accordingly, policy data is dependent upon any plurality of parameters about the workstation, 10 or 10 a, and its communication link, 15 or 15 a, to the security server 13.
For example, a geographical location of the workstation, 10 or 10 a, is used for forming a portion of the previously stored policy data. Also, a user ID optionally forms a portion of the previously stored policy data. Other examples of parameters that affect the previously stored policy data are: the date, the time, the day of the week, the country, the data being accessed, the communication link, 15 or 15 a, between the workstation, 10 or 10 a, and the security server 13, the available user data input devices, 14 or 14 a, the type of secured data being requested from the data server 19, and so forth. As such, a portable workstation 10 a that is presently geographically located in a less than secured location preferably utilizes a “high” security authentication process, while the same workstation, for example workstation 10, within a corporate headquarters utilizes a more “normal” level of security authentication.
Referring now to FIG. 5, a user makes 30 a request to access the computer network 300 using the workstation, 10 or 10 a, and the user data input device, 14. The workstation 10 records 31 a request for access. The user interacts 32 with the user data input device, 14 or 14 a, and user data is provided to the security server 13 using the communication link, 15 or 15 a. The security server 13 identifies 33 the user and receives characteristic information about the workstation, 10 or 10 a. The characteristic information about the workstation is, for example, the geographical location of the workstation, the time the request for access is being performed, the type of request and so forth. The security policy resulting from the policy data stored on the secured server 13 examines the workstation data to ascertain 34 whether the identified user is entitled to perform such a request from where the workstation 10 is geographically located.
In dependence upon the security policy and the geographical location of the workstation, 10 or 10 a, an at least an authorization method in accordance with the previously stored policy data is selected.
For example, when in accordance with the security policy no access is to be provided between midnight and 6:00 am, a user requesting access during this period of time is automatically denied access.
To facilitate the understanding of the invention an example utilizing military security server access will be used to accompany the description of the preferred embodiments.
Referring to the apparatus shown in FIG. 3 b, and the flow diagrams shown in FIGS. 4 and 5, in this example, a general at a remote location wishes to gain access to the secured server 19. The general is equipped with the portable workstation 10 a at the remote location. Using the user data input device 14 a, in the form of the keyboard 12 a and a biometric sensor, the general provides a password using the keyboard 12 and provides biometric information to the biometric sensor. The security server 13 receives the geographical location of the workstation 10 a and the security server 13 identifies the general. After identification, the policy data is consulted and a method of authentication is determined for the general at the workstation 10 a in its surrounding environment.
Referring to the same example, the general's country is part of an international treaty. Thus the general travels from time to time to one of the allied countries. The general has brought the portable workstation 10 a, because it is already configured and the user is familiar with such configuration, in order to access the computer network 300.
This remote workstation 10 a facilitates the general's work during the flight, for example. Access to the secured data stored within the computer network 300 is achievable from any portable workstation 10 a that has capabilities for connection to the security server 13 using the communication link 15 a. In an attempt to access sensitive data stored within the computer network 300 using the portable workstation 10 a, the security server 13 detects that the access request originates from an allied foreign country. The security server 13 consults the previously stored policy data in order to determine the security policy and the most adequate method of authentication in such a case. When located in an allied country, the previously stored policy data indicates that to be allowed to access the secured data, the general has to regularly authenticate using the user data input device 14 a. Because of the nature of the data being accessed by the general, the interval between two successive authentication procedures is determined to be short in accordance with the previously stored policy data. Thus, for example, the general is prompted to re-authenticate at 5 minute intervals. This prevents access to the secured data when the portable workstation 10 a is left unattended for a period of time lasting more than 5 minutes, for example. Alternatively, the previously stored policy data randomly selects a fingerprint to be imaged and prompts the general to provide the randomly selected fingertip on the biometric sensor forming part of user data input device 14 a. The authentication verification is, in this case, based upon the use of biometric authentication, thus the previously stored policy data requires authentication to a false acceptance (FA) of 1/1,000,000, with a FA of 1/10,000,000 every 15 minutes, which is every third time.
Preferably, the communication link 15 a employed between the portable workstation 10 a and the security server 13 employs a secured data exchange (encrypted data that is encrypted with an encryption key, or keys) between the portable workstation 10 a and the security server 13.
In another example, the general also travels to non-allied countries for various reasons including, for example, for prospecting purpose and for meeting with non-allied military high ranked people. When travelling in a non-allied country, the general brings the portable workstation 10 a for communicating with the security server 13. The portable workstation 10 a that is assigned to the general is utilized because it is already configured for communicating with the secured server 13 and because the security policy has a prerequisite that the general access the security server 13 from the portable workstation 10 a. Thus, preferably before the general takes the remote workstation 10 a to an unsecured location, the software and hardware used for accessing of the security server 13 are verified and authenticated. For example, before departure from the military headquarters, the remote workstation is verified to ascertain that all the systems are trusted for communicating with the security server 13.
Optionally, as a further security protection, the remote workstation 10 a is configured such that the secured files accessed from a foreign country are read only files and only the scroll down function is used in order to read them on the screen. Further optionally, the files continuously scroll in order to render difficulty in photographing the screen 11 a of the remote workstation 10 a.
Because the general is in a non-allied country, the authentication of a FA of 1/10,000,000 every 3 minutes and to a FA of 1/100,000,000 every 15 minutes, which is every fifth time is utilized, for example. The security policy, for example, indicates that at least three fingerprints randomly selected are to be provided to the user data input device 14 a every three minutes.
In another example, it is inferred that an office at the military headquarters is considered a secured location. Furthermore, to reach the office, the general had already been subjected to various check points, for example personal verification with a security guard at the entrance gate of the headquarters. Eventually, the general also provides verification data for accessing the parking area, or an elevator for reaching the office floor. Thus, the security system at the military headquarters has a plurality of additional user data input devices for identifying and verifying the general before the general tries to access data on the computer network 300.
Once the general is at the office and at the workstation 10, biometric information is still provided to a biometric sensor, forming part of the user data input device 14, and optionally a password is provided to the keyboard 12. Because the general is within the confines of the military headquarters, the information exchanged between the workstation 10 and the security server 13 is sent using a communication link 15 that is secured. As such, it is highly unlikely that the network communication link 15 is unprotected.
Optionally, certain files that are stored in the computer network 300 are considered sensitive and are protected such that their access is allowed from the workstation 10 in the general's office but these files cannot be saved on a mobile workstation 10 a for future access. The mobile workstation 10 a does not facilitate storing of these secured files because it is portable and is transported to unsecured locations. Of course, for other types of files, such as social events, headquarters phone lists, or any general information stored within the network 300, authentication procedures supported by a sophisticated requirement from the security policy are not necessary.
The secured data stored on the data server 19 is accessible by many users that are part of an organization and that are connected to the security server using a plurality of communication links 15. Of course, in dependence upon the user identification, the security policy is optionally different depending on the hierarchy within the organization. So, for example, when a sergeant attempts to access the secured data from the secured server 14 from their office located within the confines of the headquarters or from a conference room in an allied country, the sergeant is subject to the same security protocol as the general. However, when the sergeant is requesting access to the secured data from a non-allied country, the access is automatically denied.
Similarly, when a higher ranked officer, a lieutenant for example, requests access to the secured data from a non-allied country, the security policy requires that another officer having at least the same rank is also permanently present and periodically identified using the user data input device 14 a, where both officers are subject to authentication using the user data input device 14 a coupled with the remote workstation 10 a.
Advantageously, a security system based on security policy is flexible, which allows for many variations and adaptations according to external circumstances. For example, the general's remote workstation 10 a crashes 5 minutes before the beginning of a meeting in a non-allied country. A security policy requires that to use another remote workstation, at least two user data input devices, for example a smart card reader and a biometric sensor, be connected to the other remote workstation. In such a case, by downloading the information stored on the smart card, the configuration of the other remote workstation is adapted such that it is preferably accepted by the security server 13. Of course, the security policy derived from the previously stored policy data in such a condition is not identical to the previous one and it requests that the general authenticate to a FA of 1/100,000,000 every 3 minutes.
As it is apparent to a person with skill in the art, the embodiments of the invention are not limited to military security but are adaptable to any system that is for protection of data and the protection of data exchange.
Numerous embodiments may be envisaged without departing from the spirit and scope of the invention.
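The non-allied-country scenarios above can be expressed as a policy lookup followed by a challenge schedule. The following Python sketch is an added example, not code from the patent; the class and function names, the rank ordering, the read-only default and the reuse of the general's schedule for a lieutenant are assumptions made for illustration.

```python
"""Context-dependent authentication policy modelled on the scenarios above."""
import secrets
from dataclasses import dataclass
from fractions import Fraction
from typing import List, Optional, Tuple

FINGERS = [f"{hand}-{name}" for hand in ("L", "R")
           for name in ("thumb", "index", "middle", "ring", "little")]
RANKS = {"sergeant": 1, "lieutenant": 2, "general": 3}  # ordering assumed here


@dataclass(frozen=True)
class SecurityData:
    """Computing conditions only; carries no user identity."""
    location: str                      # "headquarters", "allied" or "non_allied"
    assigned_workstation: bool = True  # False: a replacement remote workstation
    input_devices: frozenset = frozenset({"biometric_sensor"})


@dataclass(frozen=True)
class AuthMethod:
    allowed: bool
    reason: str
    fa: Optional[Fraction] = None            # FA target for routine challenges
    interval_min: int = 0                    # minutes between challenges
    escalated_fa: Optional[Fraction] = None  # stricter FA on every Nth challenge
    escalate_every: int = 0
    fingerprints: int = 1
    second_officer: bool = False             # two-person rule
    read_only: bool = False


def select_method(data: SecurityData, rank: str) -> AuthMethod:
    """Map security data plus the user's place in the hierarchy to a method."""
    if rank not in RANKS:
        raise ValueError(f"unknown rank: {rank}")
    if data.location != "non_allied":
        # The text gives no FA figures for secured or allied locations,
        # so this branch returns a baseline without numbers.
        return AuthMethod(True, "baseline: biometric at the workstation")
    if RANKS[rank] < RANKS["lieutenant"]:
        return AuthMethod(False, "non-allied access denied for this rank")
    fa, escalated, every = Fraction(1, 10_000_000), Fraction(1, 100_000_000), 5
    if not data.assigned_workstation:
        if len(data.input_devices) < 2:
            return AuthMethod(False, "replacement needs two input devices")
        # Replacement workstation: the stricter FA applies to every challenge.
        fa, escalated, every = Fraction(1, 100_000_000), None, 0
    return AuthMethod(
        True, "non-allied country", fa=fa, interval_min=3,
        escalated_fa=escalated, escalate_every=every, fingerprints=3,
        second_officer=RANKS[rank] < RANKS["general"],
        read_only=True,  # optional in the text; enabled here as an assumption
    )


def challenge_schedule(method: AuthMethod,
                       session_min: int) -> List[Tuple[int, Fraction, List[str]]]:
    """Return (minute, FA target, fingers to present) for each challenge."""
    if not method.allowed or method.interval_min == 0:
        return []
    rng = secrets.SystemRandom()  # unpredictable finger selection
    plan = []
    minutes = range(method.interval_min, session_min + 1, method.interval_min)
    for n, minute in enumerate(minutes, start=1):
        strict = method.escalate_every and n % method.escalate_every == 0
        fa = method.escalated_fa if strict else method.fa
        plan.append((minute, fa, rng.sample(FINGERS, method.fingerprints)))
    return plan


if __name__ == "__main__":
    # Constructed sample: the general on the assigned workstation, 30 minutes.
    general = select_method(SecurityData("non_allied"), "general")
    for minute, fa, fingers in challenge_schedule(general, 30):
        print(f"t+{minute:>2} min  FA {fa}  fingers {', '.join(fingers)}")
```

Representing the FA targets as `Fraction` values keeps the comparison between 1/10,000,000 and 1/100,000,000 exact.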

Claims (23)

What is claimed is:
1. A method of authorizing a user to access a workstation using a security server, the method comprising:
receiving security data relating to computing conditions in which an authorization will be performed, wherein the security data comprises at least one indication of a type of communication link between the workstation and the security server, a geographic location of the workstation, or a time of access of the workstation;
determining a security policy from a plurality of predetermined security policies based on previously stored policy data and the received indication of the type of communication link between the workstation and the security server, the geographic location of the workstation, or the time of access of the workstation;
determining an authorization method for authorizing the user, wherein the authorization method is determined from the determined security policy in accordance with the received indication of the type of communication link between the workstation and the security server, the geographic location of the workstation, or the time of access of the workstation;
receiving user identification data; and
registering the user identification data against stored user data in accordance with the determined authorization method, wherein different authorization methods for authorizing the user are determined upon receipt of different security data, and wherein the security data does not include identification information for a particular user.
2. The method according to claim 1 wherein the authorization method comprises prompting the user to provide the user identification data at random time intervals.
3. The method according to claim 1 wherein the security data comprises the geographic location of the workstation.
4. The method according to claim 3, further comprising analyzing the geographic location of the workstation and, based on the analysis, determining whether the workstation is in a secure location.
5. The method according to claim 1 wherein the security data further comprises data relating to available user data input devices for providing input to the workstation.
6. The method according to claim 1 wherein the security data further comprises data identifying a type of secured data being requested from the security server by the workstation.
7. The method according to claim 1 wherein the user identification data is biometric data.
8. The method according to claim 1, further comprising allowing the user to access secured data in accordance with the determined authorization method.
9. A method of authorizing a user to access secure data having a predetermined level of security via a workstation, the method comprising:
acquiring security data relating to computing conditions in which an authorization will be performed, wherein the security data comprises at least one indication of a type of communication link between the workstation and the secure data, a geographic location of the workstation, or a time of access of the workstation, and wherein the security data is different for the workstation under different security-affecting operating conditions;
determining a security policy from a plurality of predetermined security policies based on previously stored policy data and the acquired indication of the type of communication link between the workstation and the security server, the geographic location of the workstation, or the time of access of the workstation;
determining an authorization method for authorizing the user, wherein the authorization method is selected from a plurality of authorization methods based on the security data and the determined security policy; and
authorizing the user with the authorization method for providing access to the secure data via the workstation, wherein different authorization methods for authorizing the user are determined upon receipt of different security data, and wherein the security data does not include identification information for a particular user.
10. The method according to claim 9 wherein the authorizing comprises prompting the user to provide user identification data at random time intervals.
11. The method according to claim 9 wherein the security data comprises the geographic location of the workstation.
12. The method according to claim 11, further comprising analyzing the geographic location of the workstation and, based on the analysis, determining whether the workstation is in a secure location.
13. The method according to claim 9 wherein the security data further comprises data relating to available user data input devices for providing input to the workstation.
14. The method according to claim 9 wherein the security data further comprises data identifying a type of secure data being accessed by the user.
15. The method according to claim 9 wherein the authorizing comprises providing biometric data of the user to a biometric authentication device.
16. The method according to claim 9, further comprising allowing the user to access the secure data in accordance with the determined authorization method.
17. A system for authorizing a user to access secure data having a predetermined level of security, the system comprising:
a workstation configured to provide security data relating to computing conditions in which an authorization will be performed, wherein the security data comprises at least one indication of a type of communication link between the workstation and the secure data, a geographic location of the workstation, or a time of access of the workstation, and wherein the security data is different for the workstation under different security-affecting operating conditions;
a security server configured to—
determine a security policy from a plurality of predetermined security policies based on previously stored policy data and the indication of the type of communication link between the workstation and the security server, the geographic location of the workstation, or the time of access of the workstation; and
determine an authorization method for a user of the workstation, wherein—
the authorization method provides at least a predetermined level of security corresponding to the indication of the type of communication link between the workstation and the security server, the geographic location of the workstation, or the time of access of the workstation; and
the authorization method is selected from a plurality of authorization methods based on the indication of the type of communication link between the workstation and the security server, the geographic location of the workstation, or the time of access of the workstation; and
different authorization methods for authorizing the user are determined upon receipt of different security data, and wherein the security data does not include identification information for a particular user;
wherein the workstation is further configured to provide user identification data in accordance with the determined authorization method; and
wherein the server is further configured to use the user identification data to authorize the user in accordance with the authorization method.
18. The system according to claim 17 wherein—
the determined authorization method specifies a biometric authentication device; and
the workstation comprises the biometric authentication device which the workstation uses to obtain the user identification data in accordance with the determined authorization method.
19. A computer-readable storage device having instructions stored thereon, the instructions comprising:
instructions for receiving security data relating to computing conditions in which an authorization will be performed, wherein the security data comprises at least one indication of a type of communication link between the workstation and the security server, a geographic location of the workstation, or a time of access of the workstation;
instructions for determining a security policy from a plurality of predetermined security policies based on previously stored policy data and the indication of the type of communication link between the workstation and the security server, the geographic location of the workstation, or the time of access of the workstation;
instructions for determining an authorization method for authorizing the user, wherein the authorization method is determined from the security policy in accordance with the received indication of the type of communication link between the workstation and the security server, the geographic location of the workstation, or the time of access of the workstation;
instructions for receiving user identification data; and
instructions for registering the user identification data against stored user data in accordance with the determined authorization method to authorize the user, wherein different authorization methods for authorizing the user are determined upon receipt of different security data, and wherein the security data does not include identification information for a particular user.
20. A security server for authorizing a user to access secure data having a predetermined level of security via a user workstation, the security server comprising:
an input device configured to receive security data relating to computing conditions in which an authorization will be performed, wherein the security data comprises at least one indication of a type of communication link between the user workstation and the secure data, a geographic location of the user workstation, or a time of access of the user workstation, and wherein the security data is different for the user workstation under different security affecting operating conditions; and
a processing device configured to:
determine a security policy from a plurality of predetermined security policies based on previously stored policy data and the indication of the type of communication link between the workstation and the security server, the geographic location of the workstation, or the time of access of the workstation;
determine an authorization method for authorizing the user workstation, wherein the authorization method is selected from a plurality of different authorization methods based on receipt of different security data and the determined security policy, and wherein the security data does not include identification information for a particular user, and wherein the provided access has at least the predetermined level of security.
21. The security server according to claim 20 wherein the input device receives biometric data of the user from a biometric authentication device and provides the biometric data to the processing device for processing in accordance with the authorization method.
22. A security server for authorizing a user to access a workstation, the security server comprising:
an input device that receives security data relating to computing conditions in which an authorization will be performed, wherein the security data comprises at least one indication of a type of communication link between the workstation and the security server, a geographic location of the workstation, or a time of access of the workstation; and
a processing device that—
determines a security policy from a plurality of predetermined security policies based on previously stored policy data and the indication of the type of communication link between the workstation and the security server, the geographic location of the workstation, or the time of access of the workstation;
determines an authorization method for authorizing the user, wherein the authorization method is determined from the determined security policy in accordance with the received indication of the type of communication link between the workstation and the security server, the geographic location of the workstation, or the time of access of the workstation; and
registers user identification data provided by the user against stored user data in accordance with the determined authorization method to authorize the user, wherein different authorization methods for authorizing the user are determined upon receipt of different security data, and wherein the security data does not include identification information for a particular user.
23. The security server according to claim 22 wherein the input device receives biometric data of the user from a biometric authentication device and provides the biometric data to the processing device as the user identification data for registration in accordance with the determined authorization method.
US10/847,884 2000-07-25 2004-05-19 Flexible method of user authentication Expired - Lifetime US9098685B2 (en)

Priority Applications (2)

| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| US10/847,884, US9098685B2 (en) | 2000-07-25 | 2004-05-19 | Flexible method of user authentication |
| EP05291070A, EP1603003A1 (en) | 2004-05-19 | 2005-05-18 | Flexible method of user authentication |

Applications Claiming Priority (2)

| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| US09/625,548, US7137008B1 (en) | 2000-07-25 | 2000-07-25 | Flexible method of user authentication |
| US10/847,884, US9098685B2 (en) | 2000-07-25 | 2004-05-19 | Flexible method of user authentication |

Related Parent Applications (1)

| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| US09/625,548 (Continuation-In-Part), US7137008B1 (en) | Flexible method of user authentication | 2000-07-25 | 2000-07-25 |

Publications (2)

| Publication Number | Publication Date |
|---|---|
| US20040215980A1 (en) | 2004-10-28 |
| US9098685B2 (en) | 2015-08-04 |

Family

ID=34979755

Family Applications (1)

| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| US10/847,884 (Expired - Lifetime), US9098685B2 (en) | Flexible method of user authentication | 2000-07-25 | 2004-05-19 |

Country Status (2)

| Country | Link |
|---|---|
| US (1) | US9098685B2 (en) |
| EP (1) | EP1603003A1 (en) |

US8296570B2 (en) 2000-07-25 2012-10-23 Activcard Ireland Limited Flexible method of user authentication
US8775819B2 (en) 2000-07-25 2014-07-08 Activcard Ireland Limited Flexible method of user authentication
US20030097593A1 (en) 2001-11-19 2003-05-22 Fujitsu Limited User terminal authentication program
EP1326156A2 (en) 2001-12-12 2003-07-09 Pervasive Security Systems Inc. Managing file access via a designated storage area
WO2003062969A1 (en) 2002-01-24 2003-07-31 Activcard Ireland, Limited Flexible method of user authentication
EP1603003A1 (en) 2004-05-19 2005-12-07 Activcard Inc. Flexible method of user authentication

Non-Patent Citations (29)

* Cited by examiner, † Cited by third party
Title
C.B. Shelman, "Fingerprint Classification-Theory and Application" Proc. 76 Carnahan Conference on Electronic Crime Countermeasures, 1976.
Decision to Refuse for EP1176489; Mailed on Jan. 12, 2011; 9 pages.
EPO Communication for EP1176489; Mailed on Feb. 17, 2006; 5 pages.
European Patent Office, European Search Report, EP Application 01117879.5, Jan. 27, 2005, 2 pages.
European Patent Office, Extended European Search Report, European Patent Application 10185106.1, applicant Activcard Ireland Limited et al., Mar. 25, 2011.
European Search Report for EP1176489; Mailed on Feb. 3, 2005; 3 pages.
European Search Report for EP1603003; Mailed on Oct. 10, 2005; 3 pages.
Examination Report for EP1176489; Mailed on Jun. 27, 2007; 4 pages.
Examination Report for EP1603003; Mailed on Apr. 19, 2007; 5 pages.
Feri Pernus, Stanko Kovacic, and Ludvik Gyergyek, "Minutiae Based Fingerprint Registration" IEEE Pattern Recognition, pp. 1380, 1980.
Final Office Action for U.S. Appl. No. 11/508,463; Mailed on Dec. 17, 2010; 34 pages.
Harvey, Mike. "Why veins could replace fingerprints and retinas as most secure form of ID." Times Online Nov. 11, 2008 <http://technology.timesonline.co.uk/tol/news/tech-and-web/articles5129384.ece>.
J.A. Ratkovic, F.W. Blackwell, and H.H. Bailey, "Concepts for a Next Generation Automated Fingerprint System" Proc. 78 Carnahan Conference on Electronic Crime Countermeasures, 1978.
K. Millard, "An Approach to the Automatic Retrieval of Latent Fingerprints" Proc. 75 Carnahan Conference on Electronic Crime Countermeasures, 1975.
Moayer and K.S. Fu, "A Syntactic Approach to Fingerprint Pattern Recognition" Memo No. 73-18, Purdue University, School of Electronic Engineering. 1973.
Moenssens, Andre A., Fingerprint Techniques, Chilton Book Co., 1971.
Non-Final Office Action for U.S. Appl. No. 11/508,463; Mailed on Jul. 8, 2010; 24 pages.
United States Patent and Trademark Office, Final Office Action, U.S. Appl. No. 09/625,548, mailed Apr. 20, 2005, 18 pages.
United States Patent and Trademark Office, Non-Final Office Action, U.S. Appl. No. 09/625,548, mailed Jul. 1, 2004, 18 pages.
United States Patent and Trademark Office, Non-Final Office Action, U.S. Appl. No. 11/508,463, mailed Mar. 19, 2012, 31 pages.
United States Patent and Trademark Office, Non-Final Office Action, U.S. Appl. No. 13/601,758, mailed Sep. 6, 2013, 21 pages.
United States Patent and Trademark Office, Notice of Allowance, U.S. Appl. No. 09/625,548, mailed Dec. 12, 2005, 8 pages.
United States Patent and Trademark Office, Notice of Allowance, U.S. Appl. No. 11/508,463, mailed Jun. 25, 2012, 12 pages.
United States Patent and Trademark Office, Notice of Allowance, U.S. Appl. No. 13/601,758, mailed Mar. 4, 2014, 9 pages.
Wegstein and J.F. Rafferty, The LX39 Latent Fingerprint Matcher, NBS special publication, U.S. Department of Commerce/National Bureau of Standards; No. 500-36, 1978.
Wegstein, An Automated Fingerprint Identification System, NBS special publication, U.S. Department of Commerce/National Bureau of Standards, ISSN 0083-1883; No. 500-89, 1982.
Xiao Qinghan and Bian Zhaoqi, "An approach to Fingerprint Identification by Using the Attributes of Feature Lines of Fingerprint" IEEE Pattern Recognition, pp. 663, 1986.
Yesberg, J.D. et al. "Quantitative Authentication and Vouching", Computers & Security, Elsevier Science Publishers. Amsterdam, NL, vol. 15, No. 7, Jan. 1, 1996, pp. 633-645.

Also Published As

Publication number Publication date
EP1603003A1 (en) 2005-12-07
US20040215980A1 (en) 2004-10-28

Similar Documents

Publication Publication Date Title
EP1603003A1 (en) Flexible method of user authentication
US7447910B2 (en) Method, arrangement and secure medium for authentication of a user
US8775819B2 (en) Flexible method of user authentication
RU2320009C2 (en) Systems and methods for protected biometric authentication
US6219439B1 (en) Biometric authentication system
US8433919B2 (en) Two-level authentication for secure transactions
US7715823B2 (en) Methods and apparatus for restricting access of a user using a cellular telephone
US7191466B1 (en) Flexible system and method of user authentication for password based system
US8751801B2 (en) System and method for authenticating users using two or more factors
JP2950307B2 (en) Personal authentication device and personal authentication method
US20040083394A1 (en) Dynamic user authentication
KR100392792B1 (en) User authentication system and method using a second channel
US20070180263A1 (en) Identification and remote network access using biometric recognition
US20030135764A1 (en) Authentication system and apparatus having fingerprint verification capabilities thereof
US20080313707A1 (en) Token-based system and method for secure authentication to a service provider
US20100115607A1 (en) System and method for device security with a plurality of authentication modes
US20030051173A1 (en) Computer security system
US20050048951A1 (en) Method and system for alternative access using mobile electronic devices
US20050138394A1 (en) Biometric access control using a mobile telephone terminal
JP2006209697A (en) Individual authentication system, and authentication device and individual authentication method used for the individual authentication system
JP2008516339A (en) Security alarm notification using iris detection system
US20190073463A1 (en) Method for secure operation of a computing device
EP1160648A2 (en) Restriction method for utilization of computer file with use of biometrical information, method of logging in computer system and recording medium
JP6840568B2 (en) Authentication system and authentication method
JP4651016B2 (en) Security system

Legal Events

Date Code Title Description
AS Assignment

Owner name: ACTIVCARD INC., CALIFORNIA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:HAMID, LAURENCE;REEL/FRAME:016410/0332

Effective date: 20050104

AS Assignment

Owner name: ACTIVCARD CORP., CALIFORNIA

Free format text: LICENSE AGREEMENT;ASSIGNOR:DISCOBOLUS MANAGEMENT, LLC;REEL/FRAME:016547/0216

Effective date: 20050606

AS Assignment

Owner name: ACTIVIDENTITY, INC., CALIFORNIA

Free format text: CHANGE OF NAME;ASSIGNOR:ACTIVCARD, INC.;REEL/FRAME:017575/0332

Effective date: 20051108

STCF Information on status: patent grant

Free format text: PATENTED CASE

IPR Aia trial proceeding filed before the patent and appeal board: inter partes review

Free format text: TRIAL NO: IPR2017-00338

Opponent name: EMC CORPORATION, DELL INC., DENALI INTERMEDIATE INC

Effective date: 20161209

AS Assignment

Owner name: ACTIVIDENTITY CORPORATION, CALIFORNIA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:ACTIVIDENTITY, INC.;REEL/FRAME:043360/0645

Effective date: 20131231

Owner name: HID GLOBAL CORPORATION, TEXAS

Free format text: MERGER;ASSIGNOR:ACTIVIDENTITY CORPORATION;REEL/FRAME:043360/0662

Effective date: 20161220

Owner name: PETA HOLDINGS, LLC, NEVADA

Free format text: LICENSE;ASSIGNOR:ACTIVCARD CORP.;REEL/FRAME:043360/0668

Effective date: 20050607

Owner name: INTELLECTUAL VENTURES I LLC, DELAWARE

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:PETA HOLDINGS, LLC;REEL/FRAME:043360/0753

Effective date: 20160506

Owner name: PETA HOLDINGS, LLC, NEVADA

Free format text: LICENSE;ASSIGNORS:ACTIVCARD, INC.;ACTIVCARD IRELAND LIMITED;REEL/FRAME:043639/0294

Effective date: 20050707

STCV Information on status: appeal procedure

Free format text: APPLICATION INVOLVED IN COURT PROCEEDINGS

IPRC Trial and appeal board: inter partes review certificate

Kind code of ref document: K1

Free format text: INTER PARTES REVIEW CERTIFICATE; TRIAL NO. IPR2017-00338, DEC. 9, 2016 INTER PARTES REVIEW CERTIFICATE FOR PATENT 9,098,685, ISSUED AUG. 4, 2015, APPL. NO. 10/847,884, MAY 19, 2004 INTER PARTES REVIEW CERTIFICATE ISSUED MAY 21, 2019

Effective date: 20190521

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 8TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1552); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment: 8